[Freeipa-users] Re: DNS - IPA masters' own PTR records in a classless subnet

2019-10-29 Thread lejeczek via FreeIPA-users
On 29/10/2019 09:23, Alexander Bokovoy wrote:
> On ti, 29 loka 2019, lejeczek via FreeIPA-users wrote:
>> On 28/10/2019 12:16, Alexander Bokovoy wrote:
>>> On ma, 28 loka 2019, lejeczek via FreeIPA-users wrote:
 On 23/10/2019 12:28, lejeczek via FreeIPA-users wrote:
> hi everybody
>
> when I install a replica and have DNS use cname records to a
> classless
> zone I see:
>
> Configuring DNS (named)
>   [1/8]: generating rndc key file
>   [2/8]: setting up our own record
>   [error] ValidationError: invalid 'cnamerecord': CNAME record is not
> allowed to coexist with any other record (RFC 1034, section 3.6.2
> ..
>
> This happens if the replica has existing ptr record at the time of
> installation.
> If I remove ptr record for the replica from the parent reverse zone
> (all managed by the same IPA) then installation proceeds but should
> masters' records in reverse zone be in resolved with/via cnames in
> classless subnet? (which howto says it should -
> https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation)
>
>
> Or should IPA be not hosting the parent zone if itself is in a
> classless IP subnet?
> It's bit confusing to me I confess.
>
> many thanks, L.
>
> ___
>
 Not even IPA's own devel would comment?

 Is what I wrote above somewhat unclear? Should I try to rephrase it
 better?
>>>
>>> Yes, please provide more details, like examples of your DNS zone and
>>> records. The error message already points you to the RFC and the concrete
>>> section about the problem.
>>
>> my IPA is located in a classless subnet 10.5.5.128/25.
>>
>> If I setup IPA with --reverse-zone=128/25.10.5.5.in-addr.arpa then
>> installer creates two rev zones:
>>
>> 128/25.10.5.5.in-addr.arpa & 10.5.5.in-addr.arpa
>>
>> Now, if prior to subsequent masters installation I create PTR records
>> and I follow:
>> https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation
>> (which will make 10.5.5.in-addr.arpa use cnames) then when I install a
>> replica which already has PTR records I get:
>>
>> Configuring DNS (named)
>>   [1/8]: generating rndc key file
>>   [2/8]: setting up our own record
>>   [error] ValidationError: invalid 'cnamerecord': CNAME record is not
>> allowed to coexist with any other record (RFC 1034, section 3.6.2
>> ..
>>
>> What confuses me when I think about it - if I remove the ptr (or rather
>> cname) record from the parent reverse zone (10.5.5.in-addr.arpa) then
>> installation of that subsequent master proceeds okay and then
>> I think...
>>
>> Should that mean that IPA should/can not be setup on/as classless subnet
>> the way that howto instructs?
>
> Yes, this howto predates FreeIPA 3.2. The change was done in the
> following commit that removed support for this:
>
> commit 42c401a87795fe3a2067155460ae276ad2d3e360
> Author: Martin Kosek 
> Date:   Tue Apr 2 11:58:31 2013 +0200
>
>     Improve CNAME record validation
>
>     Refactor DNS RR conflict validator so that it is better extensible in
>     the future. Also check that there is only one CNAME defined for
>     a DNS record.
>
>     PTR+CNAME record combination is no longer allowed as we found out it
>     does not make sense to have this combination.
>
>     https://fedorahosted.org/freeipa/ticket/3450
>
>
>
>> I can change records in the parent zone (to which IPA installers inserted
>> PTR records) to use cname and forward to 128/25.10.5.5.in-addr.arpa
>> later, and IPA seems to work okay, but... I was hoping for a
>> no-doubts clarification, as that all makes me a bit uncertain.
>
> Maybe you could provide a modification to the howto?
>
>
I'd love to but first I have to be certain about things I would want to
put in there.

And I still have questions...

IPA installers, when setting up without forwarders and a parent zone
for/of a classless subnet does not exist, insist on & create parent
zone(s) because

a) IPA servers' own PTR records cannot!! be resolved via cname

b) because parent rev zone was not found and parent zone must exist

c) a & b

many thanks, L.



___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: DNS - IPA masters' own PTR records in a classless subnet

2019-10-29 Thread Alexander Bokovoy via FreeIPA-users

On ti, 29 loka 2019, lejeczek via FreeIPA-users wrote:

On 28/10/2019 12:16, Alexander Bokovoy wrote:

On ma, 28 loka 2019, lejeczek via FreeIPA-users wrote:

On 23/10/2019 12:28, lejeczek via FreeIPA-users wrote:

hi everybody

when I install a replica and have DNS use cname records to a classless
zone I see:

Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [error] ValidationError: invalid 'cnamerecord': CNAME record is not
allowed to coexist with any other record (RFC 1034, section 3.6.2
..

This happens if the replica has existing ptr record at the time of
installation.
If I remove ptr record for the replica from the parent reverse zone
(all managed by the same IPA) then installation proceeds but should
masters' records in reverse zone be in resolved with/via cnames in
classless subnet? (which howto says it should -
https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation)

Or should IPA be not hosting the parent zone if itself is in a
classless IP subnet?
It's bit confusing to me I confess.

many thanks, L.

___


Not even IPA's own devel would comment?

Is what I wrote above somewhat unclear? Should I try to rephrase it
better?


Yes, please provide more details, like examples of your DNS zone and
records. The error message already points you to the RFC and the concrete
section about the problem.


my IPA is located in a classless subnet 10.5.5.128/25.

If I setup IPA with --reverse-zone=128/25.10.5.5.in-addr.arpa then
installer creates two rev zones:

128/25.10.5.5.in-addr.arpa & 10.5.5.in-addr.arpa

Now, if prior to subsequent masters installation I create PTR records
and I follow:
https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation
(which will make 10.5.5.in-addr.arpa use cnames) then when I install a
replica which already has PTR records I get:

Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [error] ValidationError: invalid 'cnamerecord': CNAME record is not
allowed to coexist with any other record (RFC 1034, section 3.6.2
..

What confuses me when I think about it - if I remove the ptr (or rather
cname) record from the parent reverse zone (10.5.5.in-addr.arpa) then
installation of that subsequent master proceeds okay and then
I think...

Should that mean that IPA should/can not be setup on/as classless subnet
the way that howto instructs?


Yes, this howto predates FreeIPA 3.2. The change was done in the
following commit that removed support for this:

commit 42c401a87795fe3a2067155460ae276ad2d3e360
Author: Martin Kosek 
Date:   Tue Apr 2 11:58:31 2013 +0200

    Improve CNAME record validation

    Refactor DNS RR conflict validator so that it is better extensible in
    the future. Also check that there is only one CNAME defined for
    a DNS record.

    PTR+CNAME record combination is no longer allowed as we found out it
    does not make sense to have this combination.

    https://fedorahosted.org/freeipa/ticket/3450





I can change records in the parent zone (to which IPA installers inserted
PTR records) to use cname and forward to 128/25.10.5.5.in-addr.arpa
later, and IPA seems to work okay, but... I was hoping for a
no-doubts clarification, as that all makes me a bit uncertain.


Maybe you could provide a modification to the howto?


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: DNS - IPA masters' own PTR records in a classless subnet

2019-10-29 Thread lejeczek via FreeIPA-users
On 28/10/2019 12:16, Alexander Bokovoy wrote:
> On ma, 28 loka 2019, lejeczek via FreeIPA-users wrote:
>> On 23/10/2019 12:28, lejeczek via FreeIPA-users wrote:
>>> hi everybody
>>>
>>> when I install a replica and have DNS use cname records to a classless
>>> zone I see:
>>>
>>> Configuring DNS (named)
>>>   [1/8]: generating rndc key file
>>>   [2/8]: setting up our own record
>>>   [error] ValidationError: invalid 'cnamerecord': CNAME record is not
>>> allowed to coexist with any other record (RFC 1034, section 3.6.2
>>> ..
>>>
>>> This happens if the replica has existing ptr record at the time of
>>> installation.
>>> If I remove ptr record for the replica from the parent reverse zone
>>> (all managed by the same IPA) then installation proceeds but should
>>> masters' records in reverse zone be in resolved with/via cnames in
>>> classless subnet? (which howto says it should -
>>> https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation)
>>>
>>> Or should IPA be not hosting the parent zone if itself is in a
>>> classless IP subnet?
>>> It's bit confusing to me I confess.
>>>
>>> many thanks, L.
>>>
>>> ___
>>>
>> Not even IPA's own devel would comment?
>>
>> Is what I wrote above somewhat unclear? Should I try to rephrase it
>> better?
>
> Yes, please provide more details, like examples of your DNS zone and
> records. The error message already points you to the RFC and the concrete
> section about the problem.

my IPA is located in a classless subnet 10.5.5.128/25.

If I setup IPA with --reverse-zone=128/25.10.5.5.in-addr.arpa then
installer creates two rev zones:

128/25.10.5.5.in-addr.arpa & 10.5.5.in-addr.arpa

Now, if prior to subsequent masters installation I create PTR records
and I follow:
https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation
(which will make 10.5.5.in-addr.arpa use cnames) then when I install a
replica which already has PTR records I get:

Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [error] ValidationError: invalid 'cnamerecord': CNAME record is not
allowed to coexist with any other record (RFC 1034, section 3.6.2
..

What confuses me when I think about it - if I remove the ptr (or rather
cname) record from the parent reverse zone (10.5.5.in-addr.arpa) then
installation of that subsequent master proceeds okay and then
I think...

Should that mean that IPA should/can not be setup on/as classless subnet
the way that howto instructs?

I can change records in the parent zone (to which IPA installers inserted
PTR records) to use cname and forward to 128/25.10.5.5.in-addr.arpa
later, and IPA seems to work okay, but... I was hoping for a
no-doubts clarification, as that all makes me a bit uncertain.

>
> I would also point out that people tend to live their own lives. There
> might be holidays, vacations, hard times (no ability to look at
> community mailing lists, etc). Do not expect that every email will be
> answered immediately and even in a week or two. We are humans, not
> robots. While there is an effort to help, there are also no obligations
> to answer every single question.
>
>
I'm of the same mind. That was why I sat quiet & waited patiently for
five days, then I thought I'd gently poke about again.

I agree; I do not, nor do I think anybody should, expect a 3-hour
response business service here in any shape or form. I think everybody
here knows it.

many thanks, L.





[Freeipa-users] Re: DNS - IPA masters' own PTR records in a classless subnet

2019-10-28 Thread Alexander Bokovoy via FreeIPA-users

On ma, 28 loka 2019, lejeczek via FreeIPA-users wrote:

On 23/10/2019 12:28, lejeczek via FreeIPA-users wrote:

hi everybody

when I install a replica and have DNS use cname records to a classless
zone I see:

Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [error] ValidationError: invalid 'cnamerecord': CNAME record is not
allowed to coexist with any other record (RFC 1034, section 3.6.2
..

This happens if the replica has existing ptr record at the time of
installation.
If I remove ptr record for the replica from the parent reverse zone
(all managed by the same IPA) then installation proceeds but should
masters' records in reverse zone be in resolved with/via cnames in
classless subnet? (which howto says it should -
https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation)
Or should IPA be not hosting the parent zone if itself is in a
classless IP subnet?
It's bit confusing to me I confess.

many thanks, L.

___


Not even IPA's own devel would comment?

Is what I wrote above somewhat unclear? Should I try to rephrase it better?


Yes, please provide more details, like examples of your DNS zone and
records. The error message already points you to the RFC and the concrete
section about the problem.

I would also point out that people tend to live their own lives. There
might be holidays, vacations, hard times (no ability to look at
community mailing lists, etc). Do not expect that every email will be
answered immediately and even in a week or two. We are humans, not
robots. While there is an effort to help, there are also no obligations
to answer every single question.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: DNS - IPA masters' own PTR records in a classless subnet

2019-10-28 Thread lejeczek via FreeIPA-users
On 23/10/2019 12:28, lejeczek via FreeIPA-users wrote:
> hi everybody
>
> when I install a replica and have DNS use cname records to a classless
> zone I see:
>
> Configuring DNS (named)
>   [1/8]: generating rndc key file
>   [2/8]: setting up our own record
>   [error] ValidationError: invalid 'cnamerecord': CNAME record is not
> allowed to coexist with any other record (RFC 1034, section 3.6.2
> ..
>
> This happens if the replica has existing ptr record at the time of
> installation.
> If I remove ptr record for the replica from the parent reverse zone
> (all managed by the same IPA) then installation proceeds but should
> masters' records in reverse zone be in resolved with/via cnames in
> classless subnet? (which howto says it should -
> https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation)
> Or should IPA be not hosting the parent zone if itself is in a
> classless IP subnet?
> It's bit confusing to me I confess.
>
> many thanks, L.
>
> ___
>
Not even IPA's own devel would comment?

Is what I wrote above somewhat unclear? Should I try to rephrase it better?

thanks, L.


